codebyplan 1.13.52 → 1.13.54

package/templates/skills/cbp-setup-cd/reference/github-actions-cd.md

@@ -0,0 +1,231 @@
+# GitHub Actions CD Reference
+
+Workflow anatomy, OIDC setup, drift-guard guidance, and per-surface credential
+var-name lists for the `codebyplan cd` scaffold.
+
+## Overview
+
+GitHub Actions CD runs on every push to main (path-filtered per surface). The
+`codebyplan cd scaffold-workflow` command writes `.github/workflows/publish.yml`
+(npm surface) and `.github/workflows/release-desktop.yml` (Tauri surface) from
+bundled canonical templates.
+
+Workflow triggers:
+
+```yaml
+# publish.yml (npm surface)
+on:
+  push:
+    branches: [main, 'feat/**']
+    paths: ['packages/<package>/**']
+  workflow_dispatch:
+    inputs:
+      dry_run: { type: boolean, default: false }
+
+# release-desktop.yml (Tauri surface)
+on:
+  push:
+    branches: [main]
+    paths: ['apps/desktop/**']
+  workflow_dispatch: {}
+```
+
+## publish.yml Structure (npm surface)
+
+Key sections of the scaffolded npm workflow:
+
+| Section | What it does |
+| ------- | ------------ |
+| `check-version` job | Reads `package.json` version, compares against npm registry, sets `should_publish` output |
+| `publish-codebyplan` job | Builds the package, upgrades npm for OIDC, publishes via `npm publish --access public --tag <dist_tag>` |
+| `tag-and-release` job | Creates a `v<version>` git tag and GitHub release (idempotent) |
+| `id-token: write` permission | Required for OIDC Trusted Publishing — no long-lived `NPM_TOKEN` needed |
+
+The `check-version` job enforces several guards:
+
+- **main push + stable version**: compares committed version against npm registry; publishes only when version is strictly greater.
+- **main push + prerelease version**: skipped — prerelease versions on main require `workflow_dispatch` or a `feat/**` branch.
+- **feat/** push + stable version**: skipped — feat branches require a prerelease version (e.g. `1.2.0-beta.1`).
+- **feat/** push + prerelease version**: publishes only if the exact version is not already on npm (exact-version guard).
+- **workflow_dispatch**: always publishes (recovery / forced re-publish path).
+
+Scaffold only this workflow:
+
+```bash
+npx codebyplan cd scaffold-workflow --workflow publish
+```
+
+Path filters are baked into the workflow templates (they are not a CLI flag) — edit
+the generated `.github/workflows/publish.yml` `paths:` block directly if your package
+lives elsewhere.
+
+## release-desktop.yml Structure (Tauri surface)
+
+Key sections of the scaffolded Tauri workflow:
+
+| Section | What it does |
+| ------- | ------------ |
+| `check-version` job | Reads `apps/desktop/src-tauri/tauri.conf.json` version, checks whether `desktop-v<version>` tag exists |
+| `build` job (matrix) | Builds macOS (arm64 + x86_64) and Windows (x86_64) using `tauri-apps/tauri-action` |
+| `notify` job | Downloads `latest.json` from the GitHub release, posts release metadata to the CodeByPlan API |
+| `contents: write` permission | Required to create tags and GitHub releases |
+
+The build matrix:
+
+| Platform | Target | Label |
+| -------- | ------ | ----- |
+| `macos-latest` | `aarch64-apple-darwin` | macOS (Apple Silicon) |
+| `macos-latest` | `x86_64-apple-darwin` | macOS (Intel) |
+| `windows-latest` | `x86_64-pc-windows-msvc` | Windows (x86_64) |
+
+Windows leg is skipped when `WINDOWS_CERTIFICATE` secret is absent — lets macOS-only
+notarized releases ship while the Windows EV cert is being procured.
+
+## OIDC Setup for npm Publish
+
+npm Trusted Publishing (OIDC) eliminates long-lived `NPM_TOKEN` secrets. GitHub exchanges
+a short-lived OIDC token for a publish credential at workflow runtime.
+
+**Requirements:**
+
+1. npm >= 11.5.1 (the workflow upgrades npm before publishing — no manual action needed).
+2. A Trusted Publisher entry on npmjs.com configured for this repo + workflow.
+3. `id-token: write` permission on the publish job (already in the scaffolded template).
+4. No `registry-url:` on `actions/setup-node` — that would inject `_authToken` into
+   `.npmrc`, shadowing the OIDC exchange and causing `E404`.
+
+**Configuring the Trusted Publisher on npmjs.com:**
+
+1. Go to `https://www.npmjs.com/package/<package-name>/access`.
+2. Under **Trusted Publishers**, click **Add a publisher**.
+3. Fill in:
+   - Publisher type: `GitHub Actions`
+   - Repository owner: `<github-org>`
+   - Repository name: `<repo-slug>`
+   - Workflow filename: `publish.yml`
+   - Environment: (blank unless a GitHub Environment is used)
+4. Save.
+
+After the first successful publish, no further action is needed unless the workflow
+filename or repo changes.
+
+**Prerelease dist-tag routing:**
+
+The workflow computes the dist-tag from the version string:
+
+| Version | dist-tag |
+| ------- | -------- |
+| `1.2.3` | `latest` |
+| `1.2.3-beta.1` | `beta` |
+| `1.2.3-rc.1` | `rc` |
+
+Consumers install the stable channel with `npm install <pkg>` and the prerelease channel
+with `npm install <pkg>@beta`.
+
+## Drift Guard
+
+Both workflow files may be adopted from the canonical templates via:
+
+```bash
+npx codebyplan cd scaffold-workflow [--force]
+```
+
+Without `--force`, the skill shows a diff of the existing file vs the template before
+overwriting. **Never silently overwrite a customized workflow** — always diff first and
+confirm.
+
+Drift from the canonical template accumulates when:
+
+- The repo patches a workflow inline (e.g. changes `node-version`).
+- A new version of the template ships in `codebyplan` but the repo has not re-run
+  `/cbp-setup-cd`.
+
+Recommended practice: re-run `/cbp-setup-cd` after each `codebyplan` version bump that
+mentions workflow changes in its changelog; review the diff before accepting.
+
+## Per-Surface Credential Var-Name Reference
+
+Credential ENV VAR NAMES only — never the values. Set these as GitHub repository secrets
+at Settings → Secrets and variables → Actions.
+
+### npm surface (OIDC — no long-lived token required)
+
+When `oidc_auth: true` (recommended):
+
+| Var name | Purpose |
+| -------- | ------- |
+| *(none required)* | OIDC handles auth via Trusted Publisher; no secret needed |
+
+When `oidc_auth: false` (fallback):
+
+| Var name | Purpose |
+| -------- | ------- |
+| `NPM_TOKEN` | Long-lived npm automation token (scoped to the package) |
+
+### tauri surface
+
+| Var name | Required | Purpose |
+| -------- | -------- | ------- |
+| `TAURI_SIGNING_PRIVATE_KEY` | Yes | Updater artifact signing (all platforms) |
+| `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` | Yes | Passphrase for the signing key |
+| `APPLE_CERTIFICATE` | macOS only | Base64-encoded `.p12` developer certificate |
+| `APPLE_CERTIFICATE_PASSWORD` | macOS only | Password for the `.p12` certificate |
+| `APPLE_SIGNING_IDENTITY` | macOS only | Certificate common name (`Developer ID Application: …`) |
+| `APPLE_API_ISSUER` | macOS only | App Store Connect API issuer UUID |
+| `APPLE_API_KEY` | macOS only | App Store Connect API key ID |
+| `APPLE_API_KEY_CONTENT` | macOS only | Contents of the `.p8` API key file (for notarization) |
+| `WINDOWS_CERTIFICATE` | Windows only | Base64-encoded EV certificate (`.pfx`) |
+| `WINDOWS_CERTIFICATE_PASSWORD` | Windows only | Password for the `.pfx` certificate |
+| `CODEBYPLAN_API_KEY` | notify job | API key for posting release metadata to the CodeByPlan API |
+
+The Windows leg is skipped automatically when `WINDOWS_CERTIFICATE` is absent — macOS
+notarized releases can ship independently while the Windows EV cert is being procured.
+
+### vscode surface
+
+| Var name | Required | Purpose |
+| -------- | -------- | ------- |
+| `VSCE_PAT` | Yes | VS Code Marketplace Personal Access Token |
+
+### expo surface
+
+| Var name | Required | Purpose |
+| -------- | -------- | ------- |
+| `EXPO_TOKEN` | Yes | EAS build + submit token |
+
+## Troubleshooting
+
+**publish.yml fails with `E401 Unauthorized`** — npm Trusted Publishing is not configured
+on npmjs.com. Follow the OIDC Setup section above. Common mistake: the workflow filename in
+the Trusted Publisher entry does not match the actual workflow filename (e.g. `release.yml`
+vs `publish.yml`).
+
+**publish.yml fails on `check if publish needed`** — GitHub Actions billing block or
+spending-limit hit. Read the run annotations in the GitHub Actions UI, fix billing, run
+`gh run rerun --failed <run-id>`, then merge manually if needed.
+
+**release-desktop.yml: macOS build fails with `code signing error`** — the Apple
+certificate in `APPLE_CERTIFICATE` secret is expired or the `APPLE_SIGNING_IDENTITY`
+does not match the certificate's common name exactly. Verify with `security find-identity
+-p codesigning -v` on a local Mac.
+
+**release-desktop.yml: Windows leg skipped unexpectedly** — the `WINDOWS_CERTIFICATE`
+secret may be empty or set to a blank string. An empty (but present) secret evaluates to
+`''`, which the `env.HAS_WINDOWS_CERT` check treats as absent. Verify the secret value in
+Settings → Secrets.
+
+**Version already published on npm, workflow skips** — expected behavior for the stable
+channel on main. If a re-publish is needed, use `workflow_dispatch` with `dry_run: false`.
+
+**release-desktop.yml: tag already exists** — the `check-version` job detects the tag and
+sets `should_release=false`. To re-release the same version, delete the `desktop-v<x>` tag
+and re-run the workflow.
+
+## Provider Roadmap
+
+Additional CD provider reference docs are planned:
+
+- `reference/gitlab-cd.md` — GitLab CI/CD release pipelines
+- `reference/circleci-cd.md` — CircleCI release orbs
+
+These will follow the same structure as this document when authored.

package/templates/skills/cbp-setup-ci/SKILL.md

@@ -0,0 +1,175 @@
+---
+scope: org-shared
+name: cbp-setup-ci
+description: Detect CI platforms, write/update .codebyplan/ci.json, scaffold the GitHub Actions CI workflow, and enforce the required CI status check on the main branch. Interactive, idempotent.
+argument-hint: "[--force]"
+effort: xhigh
+allowed-tools: Read, Write, Edit, Bash(cat *), Bash(jq *), Bash(test *), Bash(ls *), Bash(codebyplan ci *), Bash(npx codebyplan ci *), Bash(gh api *), Bash(gh auth *), AskUserQuestion
+---
+
+# CI Setup
+
+Configure `.codebyplan/ci.json`, scaffold `.github/workflows/ci.yml`, and register the
+required GitHub status check so every PR runs a uniform CI gate.
+
+Invoke at any time. Already-configured platforms are preserved unless `--force` is passed.
+Pass `--force` to re-detect all platforms and overwrite existing platform keys.
+
+## Arguments
+
+Inspect `$ARGUMENTS` for `--force`. If present, set `force_mode = true`.
+Absent: idempotent mode — existing platform keys in `.codebyplan/ci.json` are preserved;
+`ci.yml` is not overwritten unless `--force`.
+
+## Step 1 — Detect platforms + read current state
+
+Run detection and read the existing config:
+
+```bash
+npx codebyplan ci init --dry-run --json
+cat .codebyplan/ci.json 2>/dev/null || echo '{}'
+```
+
+The first command lists detected platform slugs without writing any files. The second reads
+the current config for the idempotency check.
+
+Display a detection table:
+
+```
+Platform  | Detected | Configured | Status
+--------- | -------- | ---------- | ------
+next_js   | yes      | yes        | configured
+package   | yes      | no         | new
+nestjs    | no       | no         | absent
+tauri     | no       | no         | absent
+vscode    | no       | no         | absent
+expo      | no       | no         | absent
+```
+
+Also show workflow + required-check state if `.codebyplan/ci.json` exists:
+
+```bash
+jq '.workflow // {}' .codebyplan/ci.json 2>/dev/null
+```
+
+## Step 2 — Confirm the detected set
+
+`codebyplan ci init` writes ci.json from signal-based auto-detection (next.config /
+`@nestjs/core` / tauri.conf.json / `@types/vscode` / expo / a `packages/` dir) — it does NOT
+accept an explicit platform list. So this step CONFIRMS the detected set; it is not a free
+selector (a deselected platform cannot be withheld from `ci init`, and an undetected one
+cannot be added through it).
+
+AskUserQuestion (single choice):
+
+```
+Detected platforms: <list from Step 1>.
+These (merged with any already in .codebyplan/ci.json) will be written. Proceed?
+
+A) Proceed — write the detected platforms (recommended)
+B) Cancel — stop without writing
+```
+
+If an expected platform is MISSING: add its detection signal (e.g. a `next.config.ts`, or
+`@nestjs/core` in package.json) and re-run — detection is signal-based, not free-form.
+To DROP a platform: remove its signal and re-run with `--force`, or edit `.codebyplan/ci.json`
+directly. Without `--force`, existing platform keys are always preserved.
+
+## Step 3 — Write .codebyplan/ci.json
+
+Run `codebyplan ci init` to write the detected platforms:
+
+```bash
+npx codebyplan ci init [--force]
+```
+
+The CLI deep-merges newly confirmed platforms into the existing config; existing keys are
+left unchanged without `--force`. Confirm by reading back the result:
+
+```bash
+npx codebyplan ci init --dry-run --json
+```
+
+## Step 4 — Scaffold GitHub Actions workflow
+
+Preview, then write `.github/workflows/ci.yml`:
+
+```bash
+npx codebyplan ci scaffold-workflow --dry-run
+```
+
+If the workflow already exists and `--force` is not set, confirm with the user before
+writing. Then write:
+
+```bash
+npx codebyplan ci scaffold-workflow [--force] [--pnpm-version 10] [--node-version 22]
+```
+
+The scaffolded workflow installs pnpm + Node, caches the pnpm store, installs deps with
+`pnpm install --frozen-lockfile`, and runs full-repo checks under a single job named
+**Lint + typecheck + test + build**.
+
+If the CLI errors (network, missing bin), print the manual workflow template from
+`reference/github-actions.md` and continue — workflow authoring is non-fatal.
+
+## Step 5 — Enforce required status check
+
+Register the GitHub required status check on the main branch:
+
+```bash
+npx codebyplan ci enforce-check [--branch main] [--check-name "Lint + typecheck + test + build"]
+```
+
+Behaviour:
+- `workflow.required_check_enforced: true` already in `ci.json` — skip and report.
+- `gh auth` not configured or API call fails with a permissions error — print the manual
+  fallback and point to `reference/github-actions.md` § Manual Setup.
+- On success: the CLI writes `workflow.required_check_enforced: true` to `ci.json`.
+
+**Name-match rule**: `--check-name` MUST equal `jobs.<job-id>.name` in `ci.yml` exactly.
+A mismatch leaves the required check permanently pending. The default
+`"Lint + typecheck + test + build"` matches the scaffolded template.
+
+## Step 6 — Verify and report
+
+Re-read the config and confirm the workflow file exists:
+
+```bash
+cat .codebyplan/ci.json
+test -f .github/workflows/ci.yml && echo "ci.yml present" || echo "ci.yml MISSING"
+jq '.workflow' .codebyplan/ci.json
+```
+
+Emit a summary:
+
+```
+CI Setup — Complete
+
+Platform  | unit_test       | typecheck            | build            | lint        | e2e
+--------- | --------------- | -------------------- | ---------------- | ----------- | ---------
+next_js   | pnpm turbo test | pnpm turbo typecheck | pnpm turbo build | eslint.json | e2e.json
+package   | pnpm turbo test | pnpm turbo typecheck | pnpm turbo build | eslint.json | e2e.json
+
+Workflow:  .github/workflows/ci.yml  (present)
+Req check: Lint + typecheck + test + build  (enforced: yes)
+
+Next: push a branch and open a PR to verify the CI gate fires.
+```
+
+## Key Rules
+
+- Idempotent — re-running without `--force` preserves all existing platform keys and the
+  workflow file; it never clobbers a customized `ci.yml`
+- The required-check name MUST match `jobs.<job-id>.name` in `ci.yml` exactly — a mismatch
+  leaves the required check permanently pending
+- Repos without `ci.json` fall back via `codebyplan ci resolve <category>` — this skill
+  writes the config that resolve reads
+- This skill is org-shared; its template twin at
+  `packages/codebyplan-package/templates/skills/cbp-setup-ci/SKILL.md` must stay
+  byte-identical (GATE-6)
+
+## Additional resources
+
+- GitHub Actions workflow anatomy + required-check setup: [reference/github-actions.md](reference/github-actions.md)
+- CI config schema: `packages/codebyplan-package/src/lib/types.ts` (`CiConfig`)
+- Platform detection signals: `packages/codebyplan-package/src/lib/ci-init.ts` (`detectPlatforms`)

package/templates/skills/cbp-setup-ci/reference/github-actions.md

@@ -0,0 +1,100 @@
+# GitHub Actions CI Reference
+
+Workflow anatomy, required status check setup, and troubleshooting for the
+`codebyplan ci` scaffold.
+
+## Overview
+
+GitHub Actions CI runs on every push and pull request. The `codebyplan ci scaffold-workflow`
+command writes `.github/workflows/ci.yml` from a bundled template. The workflow installs
+the Node + pnpm environment, caches dependencies, and runs a single job named
+**Lint + typecheck + test + build** that gates every PR.
+
+Workflow triggers:
+
+```yaml
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+```
+
+## ci.yml Structure
+
+Key sections of the scaffolded workflow:
+
+| Section | What it does |
+| ------- | ------------ |
+| `on: push/pull_request` | Triggers on main pushes + all PRs targeting main |
+| `pnpm/action-setup` | Installs pnpm at `{{PNPM_VERSION}}` (default: 10) |
+| `actions/setup-node` | Installs Node.js at `{{NODE_VERSION}}` (default: 20) |
+| pnpm store path + `actions/cache` | Caches the pnpm store keyed on lockfile hash |
+| `pnpm install --frozen-lockfile` | Clean dep install — fails on lockfile drift |
+| Job step: run checks | `pnpm -w lint && pnpm -w typecheck && pnpm -w test && pnpm -w build` |
+
+The job `name:` field is `Lint + typecheck + test + build`. This string is what GitHub
+registers as the required status check. **Changing this name breaks branch protection until
+the required check entry is updated to match.**
+
+Custom versions:
+
+```bash
+npx codebyplan ci scaffold-workflow --pnpm-version 9 --node-version 22
+```
+
+## Required Status Checks
+
+GitHub branch protection can require a named CI check to pass before any PR merges.
+`codebyplan ci enforce-check` automates this via the GitHub API (`gh api`).
+
+The check name in branch protection is matched against `jobs.<job-id>.name` in the workflow
+YAML. The exact string must match — capitalisation and whitespace matter. The default
+scaffolded name is `Lint + typecheck + test + build`.
+
+**Idempotency**: once enforced, `ci.json` records `workflow.required_check_enforced: true`.
+Re-running `enforce-check` reads this flag and skips the API call.
+
+## Manual Setup (GitHub UI)
+
+Use when `enforce-check` cannot run (missing `gh auth`, insufficient API permissions):
+
+1. Open the repository on GitHub.
+2. Go to **Settings** → **Branches**.
+3. Under **Branch protection rules**, click **Add rule** (or edit the existing rule for `main`).
+4. In **Branch name pattern**, enter `main`.
+5. Check **Require status checks to pass before merging**.
+6. In the search box type `Lint + typecheck + test + build` and select it.
+   (The check must have run at least once for it to appear in the list — push a
+   commit to trigger the workflow first if the search returns nothing.)
+7. Optionally check **Require branches to be up to date before merging**.
+8. Click **Save changes**.
+
+## Troubleshooting
+
+**Required check stuck pending** — almost always a name mismatch. Compare the `name:`
+field under your job in `ci.yml` with the required check name registered in branch
+protection. They must be byte-identical.
+
+**Workflow not triggering on a PR** — verify `on.pull_request.branches` includes the PR's
+base branch. PRs targeting branches not in the list skip the workflow entirely.
+
+**pnpm cache miss on every run** — confirm the cache key uses the lockfile hash:
+
+```yaml
+key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+```
+
+**`gh api` 403 on enforce-check** — the token needs admin write on the repo. For
+fine-grained PATs, set the "Administration" repository permission to Read and write.
+Otherwise use the Manual Setup path above.
+
+## Provider Roadmap
+
+Additional CI provider reference docs are planned:
+
+- `reference/gitlab-ci.md` — GitLab CI/CD pipelines (`.gitlab-ci.yml` structure, required
+  pipeline gates, caching strategy)
+- `reference/circleci.md` — CircleCI (`config.yml`, orbs, required workflow status checks)
+
+These will follow the same structure as this document when authored.

package/templates/skills/cbp-ship/SKILL.md

@@ -110,6 +110,27 @@ If ALL detected surfaces are unconfigured AND the user picks Skip/Mark for all,
 
 ### Step 3 — Build the shipment plan
 
+**cd.json pre-read (when present)**: before selecting deploy variants, read
+`.codebyplan/cd.json` if it exists:
+
+```bash
+cat .codebyplan/cd.json 2>/dev/null
+```
+
+When present, use its per-surface policy to inform variant selection:
+
+| cd.json field | Effect on variant selection |
+| ------------- | --------------------------- |
+| `trigger` | `"push-to-main"` → confirm auto-deploy variant; other values surface as notes |
+| `environment` | Non-empty → note the GitHub Environment name in the plan (approval gate may apply) |
+| `approval_required: true` | Flag the surface as requiring manual approval in the plan summary |
+| `oidc_auth: true` | Note that OIDC auth is used (no long-lived token secret to verify) |
+| `credentials.env_var_names[]` | List expected secrets so the user can verify they are set in the repo |
+| `version_gate: true` | Skip the surface when no version bump detected this checkpoint |
+
+If `.codebyplan/cd.json` is absent (un-migrated repo), fall back to the existing
+filesystem surface detection — no behavior change. Run `/cbp-setup-cd` to migrate.
+
 For each surface with `configured: true`, determine the deploy variant:
 
 | Surface           | Variants                                                                                                                                                                                               |

package/templates/skills/cbp-ship-main/SKILL.md

@@ -79,12 +79,13 @@ If `branch_deleted === true`, run a conditional Supabase preview-branch teardown
 > Lifecycle contract: see [[supabase-branch-lifecycle]].
 
 - Read `FEAT_BRANCH` from the `feat_branch` field in the Step 3 JSON output — NOT from `git branch --show-current`. By the time Step 4 runs, `codebyplan ship` has already checked out the base branch (unless `--keep-feat` was passed), so the live branch is the base, not the feat branch.
-- Call `mcp__supabase__list_branches` with `project_id: rrvtrumtkhrsbhcyrwvf`.
+- Resolve the parent project ref from config: `PARENT_REF=$(jq -r '.shipment.surfaces.supabase.project_ref' .codebyplan/shipment.json)` — never a hardcoded literal. If `PARENT_REF` resolves empty or `null` (no Supabase surface configured), skip the teardown silently — there is no preview branch to remove.
+- Call `mcp__supabase__list_branches` with `project_id: $PARENT_REF`.
 - Scan the returned list for an entry whose `name` exactly equals `$FEAT_BRANCH`.
 - If found: call `mcp__supabase__delete_branch` with its `branch_id`. Report the Supabase delete outcome alongside `pr_url` / `merge_commit` / `branch_deleted`.
 - If not found: no-op silently — the GitHub integration may have already removed the preview branch on PR close; not-found is success, NOT an error.
 - If the `list_branches` call itself fails (network, auth, or a non-success response — distinct from a successful lookup that returns no match): emit a non-blocking warning that the Supabase preview branch for `$FEAT_BRANCH` may still exist and should be verified in the dashboard. Do not treat an API failure as a not-found success.
-- Never delete the parent project `rrvtrumtkhrsbhcyrwvf` itself or any persistent/production branch.
+- Never delete the parent project `$PARENT_REF` itself or any persistent/production branch.
 - This coordinates safely with `/cbp-checkpoint-end` — the existence-checked delete makes any second attempt a harmless no-op.
 
 ## Key Rules

package/templates/skills/cbp-standalone-task-check/SKILL.md

@@ -9,11 +9,11 @@ effort: high
 
 # Standalone Task Check Command
 
-AI-driven production readiness review for standalone tasks. Spawns the `cbp-task-check` agent for thorough verification including user satisfaction discussion. This command is a thin orchestrator — the agent does the heavy lifting.
+AI-driven production readiness review for standalone tasks. Spawns the `cbp-verify-reviewer` agent (`scope: 'task'`) for thorough verification including user satisfaction discussion. This command is a thin orchestrator — the agent does the heavy lifting.
 
-## Inline-Fallback for Spawn Failure
+## Spawn Failure Is A Hard Gate Failure
 
-If the `cbp-task-check` agent spawn fails for any reason, follow the canonical inline-fallback procedure documented in `skills/cbp-round-end/SKILL.md` "Inline-fallback for any spawn failure". Walk every agent phase inline with the same Read/Grep depth the agent would have used — do not skip phases.
+If the `cbp-verify-reviewer` agent spawn fails for any reason, STOP and surface a retry directive per `rules/spawn-failure-is-gate-failure.md`. Do NOT walk the agent's phases inline and self-certify — a missing fresh-context review is a hard gate failure, not a pass. Retry when capacity returns.
 
 ## When Used
 
@@ -34,7 +34,7 @@ Any multi-segment input is an error:
 
 ```
 standalone-task-check: argument `{value}` looks like a checkpoint-task pair.
-Use /cbp-task-check {chk}-{task} for checkpoint-bound tasks.
+Use /cbp-verify {chk}-{task} for checkpoint-bound tasks.
 Standalone tasks use a bare number, e.g. /cbp-standalone-task-check 45.
 ```
 
@@ -44,7 +44,7 @@ Error cases: any multi-segment input, `abc`, `108-`, `-1`, anything with whitesp
 
 - `standalone-task-check 45` → standalone TASK-45
 - `standalone-task-check` (no arg) → active in-progress task via `get_current_standalone_task`
-- `standalone-task-check 141-3` → error: "Use /cbp-task-check {chk}-{task} for checkpoint-bound tasks."
+- `standalone-task-check 141-3` → error: "Use /cbp-verify {chk}-{task} for checkpoint-bound tasks."
 - `standalone-task-check abc` → error: malformed
 
 ### Step 1.5: Get Current Task
@@ -66,7 +66,7 @@ If any rounds still in_progress:
 ## Cannot Run Standalone Task Check
 
 Standalone TASK-[N] has an active round (Round [N]). Complete it first:
-- Run `/cbp-round-update` to finish the round
+- Run `/cbp-verify` to finish the round
 ```
 
 Stop here.
@@ -78,12 +78,13 @@ Stop here.
 
 No checkpoint context is needed — standalone tasks have no parent checkpoint.
 
-### Step 4: Spawn Task Check Agent
+### Step 4: Spawn Verify Reviewer Agent
 
-Spawn `cbp-task-check` agent with full context:
+Spawn `cbp-verify-reviewer` agent (`scope: 'task'`) with full context:
 
 ```yaml
 input:
+  scope: 'task'
   task_number: [N]
   round_number: [total rounds]
   checkpoint: null
@@ -117,7 +118,7 @@ Issues found that need addressing:
 - [issue 2]
 ```
 
-Suggest: `/cbp-round-input` with specific issues. Stop — wait for user.
+Suggest: `/cbp-round-plan` with specific issues. Stop — wait for user.
 
 **NOT READY — needs new task:**